In submissions to a consultation on the exposure draft, the Australian Industry Group (Ai Group) and the Association for Data-driven Marketing and Advertising (ADMA), as well as its associated organisations the Institute of Analytics Professionals of Australia (IAPA) and the Australian Interactive Media Industry Association (AIMIA), indicated that they did not see the need for such a scheme.

“There has been no evidence provided to establish that there is an imperative for the proposed provisions,” ADMA’s submission argued.

“The Office of the Australian Information Commission (OAIC) has had voluntary breach notification guidelines in place for some time and, as far as we are aware, there is no evidentiary basis that establishes the need for the legislation.”

The Digital Industry Group Incorporated (DIGI), whose members include Google, Twitter, Facebook, Yahoo! and Microsoft, said that it believes that “the current voluntary notification scheme is working well”.

In a similar vein, the Interactive Games and Entertainment Association said that the current regime of the Australian Privacy Principles (APPs) and voluntary notifications to the OAIC “is sufficient and fit-for-purpose”.

The Australian Information Industry Association (AIIA) said it supports in principle a mandatory serious data breach notification scheme but the draft bill’s regulatory impact statement (RIS) and associated discussion paper had not fully explored alternatives to the scheme.

“If the overall aim is to protect consumer information and empower consumers to take action when a breach occurs, there are a number of ways to achieve this short of a mandatory reporting scheme. The current options in the RIS go from do nothing, a mandatory scheme or industry codes as a middle ground,” the group’s submission stated.

In contrast, Macquarie Telecom’s submission argued that “the creation of a compulsory data breach notification process is warranted and timely.”

“This is a logical flow on from the mandatory data retention requirements to ensure that the huge amount of data collected under that regime is adequately protected and, if it is breached, people are made aware of the breach and can take steps to minimise any harm,” the company argued.

Similarly, Microsoft said it was supportive of the bill, saying it “strikes an appropriate balance between protecting the privacy of individuals, without imposing an overly administrative burden on Australian Privacy Principle Entities”.

PayPal also backed in principle the legislation of a notification scheme.

Telstra said it supported the Attorney-General’s Department’s efforts to translate the current “voluntary guidelines into a legislative instrument”.

Why so serious, breach?

“The Bill defines a ‘serious data breach’ as one that creates a ‘real risk of serious harm’ to affected individuals,” ADMA’s submission stated.

“In turn, a ‘real risk’ is defined as being ‘not a remote risk’. Given that ‘remote risk’ is not defined this type of circular definition is not helpful.

“Although the definitions are drawn from the current voluntary regime, enshrining such vague definitions in legislation will only serve to drive business to adopt an overly cautious approach to reporting which in turn is likely to result in notification fatigue… In addition, the increased regulatory burden will result in a corresponding increase in the cost of doing business – a cost that will ultimately be borne by the consumer.”

Other language in the bill frequently addressed in submissions states that organisations must notify in cases where they “ought reasonably to be aware” that a breach has occurred, and that a notification must be issued “as soon as practicable after the entity becomes so aware, or ought reasonably to have become so aware”.

“The concept of ‘ought reasonably to have become so aware’ adds complexity to determining when to notify and to the application of the legislation,” Telstra said.

“In our view, the concept should be removed and reliance should simply be placed on the question of whether an entity that is aware of an issue has sufficiently reasonable grounds to believe there has been a serious data breach.”

The telco noted that organisations that are “willfully blind” may be subject to penalties under APP 11.